Configure DNS re-write
DNS rewrite is a feature that alters the IP address returned for a particular domain name or URL: instead of handing the client the normally resolved DNS record, it returns a configured address, essentially "spoofing" clients into connecting to a different IP for that domain name or URL.
It is typically required in the following scenario:
- a private host (e.g. a DMZ server) is translated to a public IP and is accessible from the public Internet (e.g. a web server, email server, CCTV, etc.)
- external users access the DMZ server via its public IP using a domain name (e.g. abc.test.com). Name resolution is done by an external DNS server, which resolves the domain name to the public IP based on its A-record settings. So ultimately, external users reach the DMZ server via the public IP address.
- Internal users also need to access the same DMZ server using the same domain name (e.g. abc.test.com), but must reach it via its private IP address. However, there is no internal DNS server to resolve that domain name to the server's actual private IP address. So by default an internal client PC also resolves the domain to the DMZ server's public IP and tries to connect to the server using the public IP instead of the private one. This is the problem, and this is what DNS rewrite is for: it allows mbox to rewrite the DNS A-record for specific hosts, particularly when internal clients access private servers using a public domain name.
- DNS rewrite can also be used for DNS-based web filtering. For example, to block users from reaching certain sites, the URL-to-IP mapping can be altered to point to a different server/IP that shows a blocking message, so users cannot reach their intended websites/URLs (and are therefore blocked).
Below is how mbox DNS rewrite works:
- when external users access the DMZ server via its domain name, their public DNS server resolves the domain name to the public IP. mbox performs Destination NAT on the public IP, translating it to the server's private IP address.
- when internal users access the DMZ server and the external Internet, it works as follows:
  - all DNS resolution requests from internal clients are intercepted and redirected to mbox, which then acts as an internal DNS server. The "redirection" can be done through the mbox "firewall-dnat redirect" option, or simply by configuring the mbox LAN IP as the DNS server for internal clients (in their DHCP pool configuration options).
  - if there is a match in the "ip host <domain-name> <private-ip> rewrite" config, mbox returns the statically configured <private-ip> for the requested <domain-name>.
  - if there is no match, mbox uses its upstream nameserver to resolve the domain name, so it is important to configure mbox's own upstream name-servers with "ip name-server <server1> <server2>".
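The match-then-forward decision described above, written out as an added Python example (not mbox code): it parses a constructed A query, answers from a rewrite table standing in for the "ip host ... rewrite" entries, and otherwise hands the query to an upstream callback. The upstream callable is a hypothetical stand-in for the configured name-servers, and the host/IP values are the page's example values.

```python
import struct

# Rewrite table standing in for the page's "ip host <domain-name> <private-ip> rewrite"
# entries (constructed sample using the page's example host and private IP).
REWRITE_TABLE = {"abc.test.com": "10.1.1.2"}

def parse_qname(msg, offset=12):
    """Return (qname, offset just past the question section) of a DNS message."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset + 4  # skip QTYPE and QCLASS

def build_query(qname, txid=0x1234):
    """Build a standard recursive A query (a constructed client request)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def rewrite_response(query, table=REWRITE_TABLE):
    """Return a rewritten answer if the QNAME is in the table, else None (no static hit)."""
    qname, q_end = parse_qname(query)
    qtype = struct.unpack("!H", query[q_end - 4:q_end - 2])[0]
    ip = table.get(qname)
    if ip is None or qtype != 1:  # only A records are rewritten
        return None
    txid = query[:2]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 answer
    # Answer RR: name pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4, then the IP
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:q_end] + rr

def resolve(query, upstream):
    """mbox-style decision: answer from the rewrite table, otherwise forward to `upstream`
    (a hypothetical callable standing in for the configured upstream name-servers)."""
    answer = rewrite_response(query)
    return answer if answer is not None else upstream(query)

def answer_ip(response):
    """Extract the IPv4 address from the single A record of a rewritten response."""
    _, q_end = parse_qname(response)
    return ".".join(str(b) for b in response[q_end + 12:q_end + 16])
```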
In this example,
- all users from the LAN must access server abc.test.com via 10.1.1.2
- all users from the Internet access server abc.test.com via 188.8.131.52
- all other DNS resolution requests from LAN users are forwarded to the upstream DNS servers (184.108.40.206, 220.127.116.11)
!
interface eth0
description "connection to Internet"
enable
ip address 18.104.22.168/28
ip address 22.214.171.124/28 remarks "public IP for DMZ server"
!
interface eth1
description "connection to LAN"
enable
ip address 172.16.1.1/16
dhcp-server router 172.16.1.1 range 172.16.1.5 172.16.1.254
!
interface eth2
description "connection to DMZ"
enable
ip address 10.1.1.1/24
!
ip host test.com 10.1.1.2 rewrite   <-- redirect to a DMZ IP (for internal users)
!
ip name-server 126.96.36.199 188.8.131.52
!
ip route 0.0.0.0/0 nexthop 184.108.40.206
!
ip dhcp-server start
!
firewall-input 13 permit inbound eth1 udp src 172.16.1.0/24 dport 53 remark "permit DNS request from internal users only"
!
firewall-dnat 00 redirect inbound eth1 udp dport 53 src 172.16.0.0/16 remark "intercept DNS requests"
firewall-dnat 11 translate ip dst 220.127.116.11 xdst 10.1.1.2   <--- 1-to-1 DNAT for external clients to access DMZ server (static NAT)
!
firewall-access 10 permit outbound eth0 remark "permit outbound Internet access"
firewall-access 20 permit all tcp dst 10.1.1.2 dport 80 remark "permit access to DMZ web server"
firewall-access 21 permit all tcp dst 10.1.1.2 dport 443 remark "permit access to DMZ web server"
!
firewall-snat 1 overload outbound eth0 remark "PAT for Internal users to go out"